Secunia Advisory: SA26027
Release Date: 2007-07-11
Critical:Highly critical
Impact: Exposure of sensitive information
System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Flash CS3
Adobe Flash Player 9.x
Adobe Flex 2.x
Macromedia Flash 8.x
Macromedia Flash Player 7.x
Macromedia Flash Player 8.x
CVE reference: CVE-2007-2022 (Secunia mirror)
CVE-2007-3456 (Secunia mirror)
CVE-2007-3457 (Secunia mirror)
Description:
Some vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to gain knowledge of sensitive information or compromise a user's system.
1) An input validation error can be exploited to execute arbitrary code when a user e.g. visits a malicious website.
The vulnerability affects versions 9.0.45.0 and prior.
2) An error within the interaction of Flash Player and certain browsers can be exploited to leak key presses to a Flash Player applet.
The vulnerability affects versions 7.0.69.0 and prior on Linux and Solaris. It does not affect Flash Player 9.
A bug has also been reported in the validation of the HTTP Referer in versions 8.0.34.0 and prior, which may aid in e.g. CSRF (Cross-Site Request Forgery) attacks.
Secunia has constructed the Secunia Software Inspector, which you can use to check if your system is vulnerable:
http://secunia.com/software_inspector/
Solution:
Apply updates.
Flash Player 9.0.45.0 and earlier (update to version 9.0.47.0):
http://www.adobe.com/go/getflash
Flash Player 9.0.45.0 and earlier - network distribution (update to version 9.0.47.0):
http://www.adobe.com/licensing/distribution
Flash CS3 Professional (update to version 9.0.47.0):
http://www.adobe.com/support/flashplayer/downloads.html
Flash Professional 8, Flash Basic (update to version 8.0.35.0):
http://www.adobe.com/support/flashplayer/downloads.html
Flex 2.0 (update to version 9.0.47.0):
http://www.stage.adobe.com/support/flashplayer/downloads.html#fp9
Flash Player version 7.0.70.0 for Linux and Solaris reportedly fixes vulnerability #2 for Opera and Konqueror browsers.
Bollettino Secunia
Aggiornate le Flash sia per Firefox che per I.E sono diverse
Release Date: 2007-07-11
Critical:Highly critical
Impact: Exposure of sensitive information
System access
Where: From remote
Solution Status: Vendor Patch
Software: Adobe Flash CS3
Adobe Flash Player 9.x
Adobe Flex 2.x
Macromedia Flash 8.x
Macromedia Flash Player 7.x
Macromedia Flash Player 8.x
CVE reference: CVE-2007-2022 (Secunia mirror)
CVE-2007-3456 (Secunia mirror)
CVE-2007-3457 (Secunia mirror)
Description:
Some vulnerabilities have been reported in Adobe Flash Player, which can be exploited by malicious people to gain knowledge of sensitive information or compromise a user's system.
1) An input validation error can be exploited to execute arbitrary code when a user e.g. visits a malicious website.
The vulnerability affects versions 9.0.45.0 and prior.
2) An error within the interaction of Flash Player and certain browsers can be exploited to leak key presses to a Flash Player applet.
The vulnerability affects versions 7.0.69.0 and prior on Linux and Solaris. It does not affect Flash Player 9.
A bug has also been reported in the validation of the HTTP Referer in versions 8.0.34.0 and prior, which may aid in e.g. CSRF (Cross-Site Request Forgery) attacks.
Secunia has constructed the Secunia Software Inspector, which you can use to check if your system is vulnerable:
http://secunia.com/software_inspector/
Solution:
Apply updates.
Flash Player 9.0.45.0 and earlier (update to version 9.0.47.0):
http://www.adobe.com/go/getflash
Flash Player 9.0.45.0 and earlier - network distribution (update to version 9.0.47.0):
http://www.adobe.com/licensing/distribution
Flash CS3 Professional (update to version 9.0.47.0):
http://www.adobe.com/support/flashplayer/downloads.html
Flash Professional 8, Flash Basic (update to version 8.0.35.0):
http://www.adobe.com/support/flashplayer/downloads.html
Flex 2.0 (update to version 9.0.47.0):
http://www.stage.adobe.com/support/flashplayer/downloads.html#fp9
Flash Player version 7.0.70.0 for Linux and Solaris reportedly fixes vulnerability #2 for Opera and Konqueror browsers.
Bollettino Secunia
Aggiornate le Flash sia per Firefox che per I.E sono diverse
